EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #10269



Re: [EP-tech] Standard password security


CAUTION: This e-mail originated outside the University of Southampton.
Hi David,

Thanks for the answer. However, I don't know how to add the regular expression.
This password check applies when the admin creates a new user, changes their own or a user's password, and when a user changes their own password.

Please help.

Thank you

Best regards
Agung PW

On Fri, 26 Sept 2025 at 14:44, David R Newman <drn@ecs.soton.ac.uk> wrote:
You should be able to add something to cfg.d/user_validate.pl to run a regular expression or whatever analysis you want over the password provided and return a warning message if the password does not meet required standards. However, admins can typically ignore validation warnings, so to ensure they cannot set a less than secure password, you should probably also use cfg.d/user_fields_automatic.pl to make sure the new password gets unset (so the password is not updated in the user record until their new password is considered sufficiently secure). You may have to separately write something for /cgi/register to check the initial password a user wants to set, if you allow new users to register rather than having accounts initially created for them.


On 26/09/2025 7:40 am, Agung Prasetyo W. wrote:
Hi,

I'd like to ask, is it possible that when a user or admin changes their password, the password must be at least 14 characters long?
This is related to institutional security standards, which require a minimum password length of 14 characters.
It would be better if passwords also met the standard for uppercase letters, lowercase letters, numbers, and symbols.

Thank you.

Regards,
Agung PW

*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/
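
The regular-expression checks discussed in this thread (minimum 14 characters, plus uppercase, lowercase, number and symbol), written as a standalone Perl routine. This is an added example, not code from the thread or from EPrints; the helper name password_problems and the sample passwords are assumptions, and it assumes the caller has the plaintext password as a decoded character string. Wiring it into cfg.d/user_validate.pl or /cgi/register is not shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;

# Policy from the thread: at least 14 characters, plus uppercase,
# lowercase, number and symbol.
my $MIN_LENGTH = 14;

# Each rule: the requirement as text, and a regex the password must match.
# Unicode properties are used so non-ASCII letters and digits are classified
# correctly; the length rule counts characters only if the input is decoded.
my @RULES = (
    [ "at least $MIN_LENGTH characters", qr/\A.{$MIN_LENGTH,}\z/s ],
    [ "an uppercase letter",             qr/\p{Lu}/ ],
    [ "a lowercase letter",              qr/\p{Ll}/ ],
    [ "a number",                        qr/\p{Nd}/ ],
    [ "a symbol",                        qr/[^\p{L}\p{N}\s]/ ],
);

# Hypothetical helper: returns the list of unmet requirements.
# An empty list means the password satisfies every rule.
sub password_problems
{
    my( $password ) = @_;
    $password = "" unless defined $password;
    return map { $_->[0] } grep { $password !~ $_->[1] } @RULES;
}

# Constructed sample passwords, not taken from any real system.
for my $candidate ( "short1!A", "alllowercasepassword", "Correct-Horse-Battery-9" )
{
    my @problems = password_problems( $candidate );
    if( @problems )
    {
        print "REJECT '$candidate': needs " . join( ", ", @problems ) . "\n";
    }
    else
    {
        print "ACCEPT '$candidate'\n";
    }
}
```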